1

我将这个Vault docker 映像用于我的本地测试环境。但它只将所有秘密存储在内存中。因此,如果我重新启动计算机,那么我所有的测试秘密都会消失,我每次都要手动重新创建它们。我该如何解决这个问题?

我的.env文件:

COMPOSE_PROJECT_NAME=vault
VAULT_DEV_ROOT_TOKEN_ID=myroot
VAULT_ADDR=http://127.0.0.1:8200

我的docker-compose.yml文件:

version: "3.8"
services:
    vault:
        env_file:
            - .env
        networks:
            - public
        image: vault
        restart: unless-stopped
        ports:
            - 8200:8200
        cap_add:
            - IPC_LOCK            
        container_name: "${TARGET_ENVIRONMENT}_${COMPOSE_PROJECT_NAME}_vault"
        volumes:
            - vault-logs:/vault/logs
            - vault-file:/vault/file
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.vault.service=vault"
            - "traefik.http.routers.vault.entrypoints=https"
            - "traefik.http.routers.vault.rule=Host(`vault.${HOST_URL}`)"
            - "traefik.http.routers.vault.tls=true"
            - "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
            - "traefik.http.services.vault.loadbalancer.server.port=8200"
volumes:
    vault-logs: 
    vault-file:
networks:
    public:
        external: true
4

1 回答 1

0

vault二进制文件的帮助说:

  -dev
      Enable development mode. In this mode, Vault runs in-memory and starts
      unsealed. As the name implies, do not run "dev" mode in production. The
      default is false.

模式下不支持其他秘密后端-dev。如果您需要数据持久性,您应该部署一个完整的保管库实例。也许只是使用本地file后端存储数据的最简单的一个:

backend "file" {
  path = "/path/to/a/file/in/a/docker/volume"
}

此解决方案最复杂的部分将是解封操作的实施,除非您可以访问存储此类密钥的云提供商。

于 2021-10-09T13:42:34.240 回答